So far, we have looked at different code injection techniques to execute malicious code. Another reason an attacker injects code (mostly DLL, but it can also be an executable or shellcode) into the legitimate (target) process is to hook the API calls made by the target process. Once a code is injected into the target process, it has full access to the process memory and can modify its components. The ability to alter the process memory components allows an attacker to replace the entries in the IAT or modify the API function itself; this technique is referred to as hooking. By hooking an API, an attacker can control the execution path of the program and re route it to the malicious code of his choice. The malicious function ...